Author: Lloyd Fournier 2019-12-02 03:30:26
Published on: 2019-12-02T03:30:26+00:00
In this communication, the topic of Pedersen commitments is discussed in relation to MuSig R coin tossing. The Pedersen commitment commits to a tweak on `X`, which is revealed later so that `X` can be un-tweaked. It is suggested that using `X` for the contribution to `R` for a participant is not significantly different from using ElGamal commitments. The real question is what properties does the commitment scheme need to be appropriate for MuSig R coin tossing? In the security proof, the commitment hash is modeled as a random oracle rather than as an abstract commitment scheme. The author wonders if any MuSig author has an opinion on whether the H_com interaction can be generalized to a commitment scheme with certain properties (e.g equivocal, extractable). By the looks of it, the random oracle is never explicitly programmed except with randomly generated values so maybe there is hope that a non ROM commitment scheme can do the job.
Updated on: 2023-06-13T22:20:28.798176+00:00